Difference between revisions of "Wiimms mkw-ana (tool)"

Revision as of 16:30, 14 March 2013

Wiimms mkw-ana
File:Wiimms-SZS-Tools.png
Author:	Wiimm
Operating Systems:	Linux (i386,x86_64), Windows (cygwin).
Software Type:	Mario Kart Wii network analyzer
File Formats:	PCAP 2.4 (tcpdump), BMG (text).
Current Version:	0.08, 2013-03-14

The tools mkw-ana is a new project by Wiimm to analyze the network protocol of Mario Kart Wii.

In Progress

This article is managed by Wiimm, the developer, and will grow slowly. Feel free to edit typos and grammatical or speech issues.

Intention

In November 2012, Wiimm decided to analyze the network protocol of Mario Kart Wii. The main goal was to discover online cheaters. Another goal is to set up his own server if any time Nintendo will shut down its servers.

So the main feature is to dump the packets of a tcpdump (done by tcpdump or wireshark) in a user-friendly format. After first experiments, it becomes also a live racing statistic tool.

Terms and definition

Template:MKWii Network Terms

The Tool

Change log

Show text

mkw-ana v0.00 r1174 - 2012-12-06

 - Start of the project.


mkw-ana v0.01 r1177 - 2012-12-06

 - Understanding a PCAP v2.4 dump and filtering relevant data.
 - Live logger of race data.


mkw-ana v0.02 r1308 - 2013-01-05

 - Command driven tool:
    Commands: HELP, DEVELOP, TEST, DUMP1, DUMP2, DUMP3, DUMPX, DUMP, CLIENTS,
	      USERS, RECORDS, STAGES, LOG, RACE.
    Options: --help --width --sleep --old --new --receive --send --length
	     --index --stage --type --TYPE --brief --long --one-line --ascii
	     --hex-only --log --md --mdx --mii dir       

mkw-ana v0.03 r1343 - 2013-01-11

 - New command: FLOWRATES: Print flowrates of the data stream.
 - New command: TOTALS: Print only the final total tables of the LOG output.
 - New options: --skip=float --term?float --combine: Use only parts of the
   input dumps and combine It logical to one stream.
 - New option: --write=file: Write the filtered dump to a new file.
 - New option: --home: Define an IP as home client. If not set, the first
   sender is used. And this is sometimes wrong.
 - New option: --rel: Print relative time stamps.


mkw-ana v0.04 r1370 - 2013-01-29
 - New record types: RACE_HEAD, RACE_DATA1, RACE_DATA2: Split the old race
   data into a header and 1 or to player data records.
 - Optimized stage detecting.
 - New option: -p --no-proxy: Ignore proxy records.
 - New option: -f --follow: Follow last input file like 'tail -f'.
 - New options: --php --phpx: Create a php script with racing results after
   each race.


mkw-ana v0.05 r1414 - 2013-02-08
 - Different stages renamed.
 - Optimized stage detecting.
 - New record types: CONNECT, HELLO, ANNOUNCE: Used for handshaking.
 - New record types: STATUS_* (00|04|08|0C|10): Different status messages
   about active players and slot arrangements.
 - New stages: SELECT_* (0|1|1S|2): Track selection before race.
 - Command LOG and md/php export: Show user name and index of voted and
   selected tracks.
 - New option: -2 --sep-lines: Dump one line per record & an empty line
   between records.


mkw-ana v0.06 r1453 - 2013-02-20

 - New rcord types: PREFIX_* (0..4): 4 different record variants before a
   USER record: 0,3: unknown, 1:start an event, 3:send a room message.
 - New stages: START_EVENT: Start of an event (GP, TEAM, BATTLE or COIN).
 - New options: -q --quiet -v --verbose: Decrease and increase verbose level.
 - New option: DUMP3 -d --delta: Print unchanged bytes as '--'.
 - New option: --bmg=file: Read a BMG text file to scan online chat messages
   and track, drive and vehicle names and disable auto load of BMG files.
 - New option: --team=file: Read a text file for team assignments and disable
   auto load of team files.
 - Command LOG and md/php export: Show user and name of selected tracks.
 - Command LOG: Show driver and vehicle for each player (Miis are buggy).


mkw-ana v0.07 r1475 - 2013-02-24

 - New user interface with an extended and command dependent built-in help.
   Command only allow options with impact to the command.
   Try "mkw-ana HELP", "mkw-ana HELP command" or "mkw-ana HELP OPTIONS".
 - Command LOG and md/php export: Show driver and vehicle for each player,
   if a BMG with names is loaded.


mkw-ana v0.08 r1509 - 2013-03-14

 - Detection of different network packet types:
   ARP, IP, IMCP, TCP, UDP and DNS(UDP).
 - The engine class (50cc, 100cc, 150cc, mirror) is now detected.
 - The 2 new options --receive-ip and --send-ip allow to specfy addresses as
   output filter like --receive and --send for the home client.
 - New command: DUMP0: Print a raw dump of all packets. This dump can be used
   for all network dumps, not only for MKWii.
 - New command: DNS: Print DNS and optional ARP packets in human readable
   format. This command can be used for all network dumps, not only for MKWii.
 - Command 'HELP COMMANDS' prints a list of all commands and 'HELP OPTIONS'
   a list of all global and command specific options.

Built-in Help

Let's start with the built-in help as an overview about the tool:

Show text


mkw-ana v0.08/x86_64 r1509 -- Dirk Clemens -- 2013-03-14
--------------------------------------------------------

mkw-ana : Analyze network dumps (created by tcpdump) and print summaries.

Syntax: mkw-ana [option]... command [option|parameter|file]...


Commands:

  VERSION         : Print program name and version and exit.
  HELP      | H   : Print help and exit. If the first non option is a valid
                    command name, then a command specific help is printed.
                    Command 'HELP COMMANDS' prints a list of all commands and
                    'HELP OPTIONS' a list of all global and command specific
                    options.
  ARGTEST         : This debug command accepts all kinds of parameters and
                    prints one line for each parameter or option.
  TEST            : Test options: All options are allowed, some are printed.
  ERROR     | ERR : Translate exit codes to message names. If no exit code is
                    entered, print a table with all error messages.

  DUMP0     | D0  : Print a raw dump of all packets. This dump can be used for
                    all network dumps, not only for MKWii.
  DUMP1     | D1  : Packet based hex dumper.
  DUMP2     | D2  : First record based hex dumper.
  DUMP3     | D3  : New and improved variant of DUMP2 (record based).
  DUMP      | D   : Use the best/latest dumping mode (depends on options). At
                    the moment DUMP is an alias for DUMP3.

  FLOWRATES | F   : Print flowrates of the data traffic. This command can be
                    used for all network dumps, not only for MKWii.
  DNS             : Print DNS and optional ARP packets in human readable
                    format. This command can be used for all network dumps, not
                    only for MKWii.

  CLIENTS   | C   : List all clients.
  USERS     | U   : List all users.
  RECORDS   | R   : Print all record names.
  STAGES    | S   : Print all stages.
  LOG       | L   : Print all stages including tables.
  TRACKS          : Print all track selections.
  TOTALS    | T   : Print all totals as text dump.

  RACE            : Live hex dump of senders race statistics to the screen.

Type 'mkw-ana HELP command' to get command specific help.

Global options:

  -V --version      Stop parsing the command line, print a version info and
                    exit.
  -h --help         Print help and exit. If the first non option is a valid
                    command name, then a help for the given command is printed.
     --xhelp        Stop parsing the command line and print a help message with
                    all commands included. Exit after printing.
     --width width  Define the width (number of columns) for help and some
                    other messages and disable the automatic detection of the
                    terminal width.
  -q --quiet        Be quiet and print only error messages. All previous
                    --verbose are canceled. Multiple usage is possible. The
                    impact is command dependent.
  -v --verbose      Be verbose and print more progress information. All
                    previous --quiet are canceled. Multiple usage is possible.
                    The impact is command dependent.
  -A --allow-all    Usually commands accept only options with impact to the
                    command. All other options fire an syntax error. But if
                    --allow-all is set, all commands accept all options.
     --old          Use old implementation if available. All previous --new are
                    canceled.
     --new          Use new implementation if available. All previous --old are
                    canceled.

     --bmg file     Read a BMG text file to scan online chat messages and
                    track, drive and vehicle names. Disable auto load of BMG
                    files. Multiple usage allowed
     --team file    Read a text file for team assignments and disable auto load
                    of team files. Multiple usage allowed

Command specific options with common description:

     --adjust float  Adjust time stamps of the network dump by adding 'float'
                     seconds. This may help to synchronize different dumps.
     --skip float    Skip first 'float' seconds of each read network dump.
                     Negative values are relative to the end (or ignored for
                     pipes).
     --term float    Terminate each dump at 'float' seconds. Negative values
                     are relative to the end (or ignored for pipes).
     --combine       Logical combine network dumps to one single dump before
                     executing options --skip and --term.
  -f --follow        Don't close the last input dump on reaching end of file.
                     Instead wait for appended data. This works like the unix
                     tool 'tail -f'.
     --ip addr       Define an address (IP or DNS name) for filtering. Only
                     packets from an to this host are accepted, all others are
                     ignored.
     --home addr     Define an address (IP or DNS name) as home client.
                       Without this options, the tool tries to determine the
                     home client by analysing sender and receiver of the first
                     non filtered packet. A local network (10/8, 172.16/12,
                     192.168/16, 169.254/16) has priority over a non local
                     network. If sender and receiver have the same priority,
                     the IP of the sender is used.
     --wii addr      Define an address (IP or DNS name) as home client and for
                     filtering. This options is a shortcut for '--home addr
                     --ip addr'.
     --write file    Write filtered network packets as PCAP v2.4 to 'file'.

  -p --no-proxy      Don't dump proxy packets (packets, which contains a PROXY
                     record).
  -r --receive       Dump only network packets received by the home client
                     (option --home) or allowed by --send, --receive-ip or
                     --send-ip.
  -s --send          Dump only network packets send by the home client (option
                     --home) or allowed by --receive, --send-ip or
                     --receive-ip.
     --receive-ip addr 
                     Dump only network packets received by the entered address
                     (IP or DNS name) or allowed by --send-ip, --receive or
                     --send. --rip is a short cut for --receive-ip.
     --send-ip addr  Dump only network packets send by the entered address (IP
                     or DNS name) or allowed by --receive-ip, --send or
                     --receive. --sip is a short cut for --send-ip.
  -L --length ranges Dump only UDP packets with specified UDP data length. The
                     8 bytes long UDP header does not count.
                       The parameter is a comma separated list of INDEX,
                     INDEX1:, INDEX1:INDEX2 and INDEX#LENGTH elements.
  -S --stage list    Dump UDP packets only, if one of the entered stages is
                     active.
                       The parameter is a comma separated list of stage names,
                     optional preceeded by '+' (enable) or '.' (disable). Type
                     'mkw-ana test' for a list of stages or use the dumps to
                     identify stage names.
  -t --type list     Dump UDP packets only, if at least one record of the
                     packet match the entered record list.
                       The parameter is a comma separated list of record names,
                     optional preceeded by '+' (enable) or '.' (disable). Type
                     'mkw-ana test' for a list of records or use the dumps to
                     identify record names.
  -T --TYPE list     Same as --type except for command DUMP3.

  -b --brief         If set once, the dump header (timestamp and client info)
                     of single line dumps becomes smaller. If set twice,
                     timestamp and client info are not printed. All previous
                     --long are canceled.
  -l --long          This option is relevant for single line dumps. usally the
                     time format is printed as 'MM:SS.s' to keep the lines
                     small. If set once, 'HH:MM:SS.s' is used. If set twice,
                     'HH:MM:SS.sss' is used. All previous --brief are canceled.
     --rel           Print timestamps as seconds relative to the beginning.
                     Dependent of option --long the foramts are: 'SSSSS',
                     'SSSSS.s' or 'SSSSS.sss'
     --rel-info      Like --rel, but reset the origin whenever a reference time
                     is defined in the info file.
  -1 --one-line      Print the hexdumps as one line for each object. This makes
                     the dumps horizontal very large, but it is good for
                     comparing objects of the same type. Very helpful is to
                     pipe the output to 'less -S', which supports horizontal
                     scrolling.
                       If set twice, some record types are not split into sub
                     records.
  -2 --sep-lines     Dump one line per record (like option --one-line) and an
                     empty line between packets.
  -a --ascii         Append an ASCII character dump behind the hexdump. This
                     option is ignored if using --one-line.
  -x --hex-only      Some known values, records or packets are printed in
                     native format instead as hex number. If option --hex-only
                     is set, all data is printed as hex number. --hex is a
                     short cut.
  -d --delta         If set, record data is compared with the data of the
                     previous record of same type and client. If a byte is
                     unchanged, a '--' is printed intead of 2 hex digits.
  -I --index ranges  Dump only bytes selected by the range list. This make the
                     hex dump smaller especially for one-line dumps.
                       The parameter is a comma separated list of INDEX,
                     INDEX1:, INDEX1:INDEX2 and INDEX#LENGTH elements.

     --log file      Log into the file using the same output as command LOG. If
                     first character of 'file' is a '+', append data to an
                     already existend file.
     --md file       Create a MakeDoc script with results after each race.
     --mdx file      Create a MakeDoc script with results after each race. Same
                     as --md, but replace %E, %R, %N and %T in the filename by
                     'event id', 'race id', 'total race' and 'event type' to
                     create different files.
     --php file      Create a php script with results after each race.
     --phpx file     Create a php script with results after each race. Same as
                     --php, but replace %E, %R, %N and %T in the filename by
                     'event id', 'race id', 'total race' and 'event type' to
                     create different files.
     --sleep float   Sleep 'float' seconds after a race has finished. This
                     option slows down a simulation run direct after logging
                     and printing the race statistics.

     --mii dir       Extract Miis to the already existing directory 'dir'.
                     Existing Mii files will be overwritten.

General Description

The tool started as simple hex dumper reading network dumps in PCAP format. In the first phase of the tool, the textual dumps of whireshark and tcpdump were much better. But after only a few days, the tool learned to handle records, clients, users, friend codes and Miis. From this moment the tool was better to analyze the Mario Kart Wii traffic.

Now, mkw-ana split the traffic into records and scans some data to detect stages of the online meeting. Stages are for example room, prepare race, count down, racing and end of race. It is able to separate races into events (grand prix and team rand prix) and to calculate racing tables. Racing data can also be exported to support live statistics.

At the moment there are three different kinds of hexdumps. All 3 are able to dump in one line mode to have large tables. Tool less is here a very good tool for vertical and horizontal scrolling. The stages are includes into the dump as comment lines. The dumped records can be filters by sending, receiving, proxy, record types, stage types and packet length. It is also possible to select the dumped bytes by indices and ranges.

Another feature is, that mkw-ana can read comment files. If making videos of the dumped meetings, you can write such comment file. Each line starts with a timestamp followed by a comment. Virtual Dub is a good tool for this job. Then you must synchronize the comment file with the network dump. The start of the first game ("GO" in the video) is a very good point for synchronization. Here is an example of a comment file (in german):

>2012-12-05 19:10:39.745 - 12:22.792
0:00:00.000 Video Start

0:12:22.792 Rennen 1.1, GO!
0:12:54.123 Tinti wird angekündigt, T=0:31.322
0:14:17.924 Power wird angekündigt, T=1:55.120
0:15:33.633 Blitz schlägt ein, T=1:35.326
...

Notes

The first line ist the real time of the start of the race minus the video time stamp. This is the synchronisation. An synchronisation can be done multiple times.
The line with video timestamp and comment follow. The focus of the comment change as the point of interest.

???

Dumping Data

Options

Download

Here is the v0.08 of the tool mkw-ana: mkw-ana-v0.08-r1509.zip (320 kB)

It contains binaries for:
- Linux i386
- Linux x86_64
- Cygwin/Windows (A Cygwin system must be installed).
Some scripts as examples.
Some BMG text examples.
Some doc files.

It is an alpha distribution and and only minimal support will be given at the moment.

Capture the network data

First you must capture the network traffic of the Wii. Therefore you must redirect it to a PC running a capture software. There are 3 general ways to to this:

If you have a manageable switch, enable port mirroring and send all Wii traffic to a PC.
Use your PC as router.
Use old network hubs (not switches). A hub will mirror all traffic of all ports to all others; it's just a multi port repeater and will slow down your network.

Use a software like tcpdump or wireshark to capture the data. Best is to save the captured data directly to a file or to send it to other commands like mkw-ana for a live analysis.

It's also possible to save the data to a file and to make a live analysis at the same time. Use the following command pipe:

tcpdump -w- -U -i eth1 host wii | tee save.dump | mkw-ana ...

If using wireshark, save the dump to a file and use the following command for a live analysis:

mkw-ana --follow DUMPFILE ...

Live Statistics

mkw-ana can scan the network traffic in real time and can produce makedoc or php data files. Together with ssh and an cgi script, a live statistic is created. Live means that the tables are updates 2-5 seconds after the race have finished.

How it works

The whole job is done by 3 processes:

First, you must capture the network traffic like described above. Then use one of the commands:

... | mkw-ana log --md  DATAFILE
... | mkw-ana log --php DATAFILE
mkw-ana --follow DUMPFILE log --md  DATAFILE
mkw-ana --follow DUMPFILE log --php DATAFILE

Each time, a new DATAFILE is written, it must be transferred to the web server. A script using shh, sftp scp or ftp within an endless loop will do this job automatically.
Last not least, a CGI or PHP script running at the web server must read the data files to serve a html-page to the visitors.

To see, what live means, visit the live statistics on Wednesday or Thursday between 19:10 and 20:30 CET (Central European Time).

Links